01-09-2018 05:17 AM - edited 03-17-2019 11:54 AM
Hello Guys,
I'm setting up a SIP trunk between CUBEs and an Internet SIP provider (Twilio).
The incoming and outgoing calls work fine.
Now I want to set up SIP TLS and SRTP between CUBE and Twilio.
My final idea is to set up RTP-SRTP between CUBE and Twilio. The CUCM is not in mixed mode, so there are no certificates on my phones.
Like this:
The documentation from Twilio is not very clear to me.
https://www.twilio.com/docs/api/sip-trunking/getting-started#securetrunking
And the documentation from Cisco doesn't seem very complicated for SRTP-RTP.
But the SIP TLS seems more complicated.
So, I'm a beginner in security and I don't know where to begin.
Do you have any advice on how to do it?
Thanks
Sébastien
06-25-2018 10:21 AM
Were you able to figure this out?
06-25-2018 01:34 PM
TLS and SRTP can be tricky. The SRTP isn't too bad as you don't have to worry about creating a trust point just for that.
TLS is another story. Many times when I've run into problems with TLS it's due to a certificate or trustpoint issue. Make sure you import the entire certificate chain up to the root cert. Adding to the complexity in your case is that you're setting this up between a Cisco CUBE and a third party.
What are you doing for certificates? Are you purchasing these from a third party CA or going with self-signed? You'll need to make sure that Twilio will accept your cert and vice versa.
06-26-2018 01:06 AM
Hello guys,
For the certificates, we generated a CSR on another server, then we had it signed by the CA that Twilio uses. (FYI: Twilio said that they use GlobalSign as their CA, but that's not correct. They use Thawte.)
Before uploading the certificate, we converted it from PEM to PKCS12, including the certificate, the signing CA (root or intermediate) and the private key.
And to finish, we created the import of the certificate/key and generated the trustpoint/RSA keypair.
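Added example, not part of the posts in this thread and not Cisco's or Twilio's own tooling: a pre-import check for the PKCS12 bundle described in the two replies above, confirming that the chain reaches a self-signed root using only what is inside the bundle and that the private key matches the certificate. The lab CA, the hostname cube.example.test, the password `lab` and both function names are constructed for this run.

```bash
#!/usr/bin/env bash
# Added example; every key, certificate and name below is constructed lab material.

# Build a throwaway root CA and a leaf for cube.example.test in directory $1,
# then two bundles: full.p12 (leaf + key + root) and leafonly.p12 (no CA cert).
make_lab_bundles() {
  local d=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' 'prompt=no' \
    '[dn]' 'CN=Constructed Lab Root' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$d/ca.cnf"
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  openssl req -new -config "$d/ca.cnf" -subj "/CN=cube.example.test" -newkey rsa:2048 \
    -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
  openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" -certfile "$d/root.pem" \
    -passout pass:lab -out "$d/full.p12" || return 1
  openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" \
    -passout pass:lab -out "$d/leafonly.p12"
}

# Check bundle $1 (password $2) before importing it into a trustpoint.
# Returns 0 when the leaf chains to a self-signed root and the key matches,
# 1 when the chain is incomplete, 2 when the bundle is unreadable or the key differs.
check_p12() {
  local p12=$1 pw=$2 t rc=0 certpub keypub
  t=$(mktemp -d) || return 2
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -clcerts -nokeys -out "$t/leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -cacerts -nokeys -out "$t/ca.pem" 2>/dev/null
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes -out "$t/key.pem" 2>/dev/null
  certpub=$(openssl x509 -in "$t/leaf.pem" -noout -pubkey 2>/dev/null)
  keypub=$(openssl pkey -in "$t/key.pem" -pubout 2>/dev/null)
  if [ -z "$certpub" ] || [ "$certpub" != "$keypub" ]; then rc=2
  # -no-CApath keeps the system trust directory out of the chain check
  elif ! openssl verify -no-CApath -CAfile "$t/ca.pem" "$t/leaf.pem" >/dev/null 2>&1; then rc=1
  fi
  rm -rf "$t"   # the key was extracted unencrypted; do not leave it behind
  return $rc
}

# Demo on the constructed bundles
d=$(mktemp -d) && make_lab_bundles "$d" && for b in full leafonly; do
  check_p12 "$d/$b.p12" lab && echo "$b.p12: ok" || echo "$b.p12: rejected (rc=$?)"
done
```
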
06-26-2018 05:42 AM
It seems like you have your certificates in order. What I would do next is make some non-secure test calls first just to verify the VoIP configuration. This way if there is an issue you're not chasing your tail thinking it's an encryption issue when it may be something with the basic call set up.
Then, configure TLS under sip-ua and test call set up again. When that's working enable SRTP and make your final test calls.
I don't have tons of experience with TLS/SRTP so there may be a better method of doing this but this is how I would work it.
05-22-2019 01:32 AM
Hi Sebastien,
Hope you are doing fine.
I may need your kind help here.
Have you completed the setup for the secure SIP trunk between CUBE and the ISP?
Do we need to build secure SIP from the GW to CUCM as well?
Please share some experience on this item; I'd very much appreciate it.
Looking forward to your reply.
Thanks.